Unintentional Insider Threats

--Originally published at Diego's Password

I want to focus this blog post on the talk we had last session. It was surprising and revealing that the vast majority of attacks are either social hacks or simply the result of mistakes and bad practices, such as the password stuck to the monitor.

I think it’s pretty clear what unintentional security issues are: in the end, not everyone is prepared for, or even aware of, the threats we all face every day and how to protect ourselves. I want to talk about the ways we, as engineers and probably as employers, can prevent these issues.


There’s a study from the Software Engineering Institute called Unintentional Insider Threats: A Foundational Study. I’ll link it here. It is very interesting; they talk especially about the human factor and common mistakes. I’ll base this blog post on that paper.

The paper is a study of unintentional security issues, their causes, and how to prevent them. Here’s their definition.

An unintentional insider threat is (1) a current or former employee, contractor, or business partner (2) who has or had authorized access to an organization’s network, system, or data and who, (3) through action or inaction without malicious intent, (4) causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization’s information or information systems.

Let’s review point number 3. It’s basically saying that it wasn’t the employee’s intention to harm the company, but an action they took caused the harm anyway. Going along with the article, it lists the specific actions that are causing the issues and in what percentage of cases. Some of the causes investigated are the following.

  • Sensitive information posted publicly on a website, mishandled, or sent to the wrong party via email, fax, or mail.
  • An outsider’s electronic entry acquired through social engineering and carried via software, such as malware and spyware.
  • Lost, discarded, or stolen non-electronic records, such as paper documents.
  • Lost, discarded, or stolen data storage device, such as a laptop, PDA, smart phone, portable memory device, CD, hard drive, or data tape.

The study shows that 49% of the cases were associated with the first two: either the employee publicly shared sensitive data, or there was spyware on his computer that got there through social engineering. Out of that 49%, 23% was data leaked through websites and 20% through email. What is interesting is that this most common cause, with almost half of the cases, comes down entirely to how the company handles its data and to the human factor.

The next factor, with 28%, is the last one: an employee lost a USB drive or a cellphone. Here we could be talking about security measures such as data encryption. macOS, for example, has very easy to use full-disk encryption (FileVault), and the same can be done for USB sticks or external hard drives. For smartphones, it means a strong passcode. The caveat is that encryption only helps if it was actually turned on before the device was lost, so it is worth checking rather than assuming. The paper talks about all the measures we as engineers could implement and share with the employees.
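As an added example (not from this post or from the SEI paper), here is the check a security engineer would want next to that advice: a small script that decides whether a device is actually encrypted by parsing the output of the platform’s own tools. `fdesetup status`, `manage-bde -status` and `lsblk` are real commands; the sample outputs below are constructed for the example, not captured from real hosts, so the script runs offline. The BitLocker "suspended" sample is the edge case worth knowing: the volume reports Fully Encrypted, but with protection off the clear key sits on the disk, so a lost laptop in that state is readable.

```python
"""Disk-encryption compliance check: parse what the platform's own tools
print and decide whether a device is actually encrypted.

Commands whose output is parsed (all real):
  macOS    fdesetup status                -> "FileVault is On." / "FileVault is Off."
  Windows  manage-bde -status C:          -> "Conversion Status" / "Protection Status" lines
  Linux    lsblk -l -o NAME,TYPE,FSTYPE   -> FSTYPE "crypto_LUKS" on encrypted partitions
The sample outputs below are constructed for this example, not captured from real hosts.
"""
import re
import subprocess
import sys

# ---- constructed sample outputs ----
FDESETUP_ON = "FileVault is On.\n"
FDESETUP_OFF = "FileVault is Off.\n"

MANAGE_BDE_ENCRYPTED = """\
Volume C: [OS]
[OS Volume]
    Size:                 237.00 GB
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
"""

# Encrypted, but suspended: BitLocker keeps the clear key on disk in this state.
MANAGE_BDE_SUSPENDED = """\
Volume C: [OS]
[OS Volume]
    Size:                 237.00 GB
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off
"""

LSBLK_MIXED = """\
NAME TYPE  FSTYPE
sda  disk
sda1 part  vfat
sda2 part  crypto_LUKS
root crypt ext4
sdb  disk
sdb1 part  exfat
"""


def filevault_enabled(output: str) -> bool:
    """fdesetup prints 'FileVault is On.' when the boot volume is encrypted."""
    return re.search(r"^FileVault is On\.", output, re.MULTILINE) is not None


def bitlocker_protected(output: str) -> bool:
    """Count a BitLocker volume only when it is fully encrypted AND protection is on."""
    fully = re.search(r"Conversion Status:\s*Fully Encrypted", output)
    protecting = re.search(r"Protection Status:\s*Protection On\b", output)
    return bool(fully and protecting)


def plain_linux_partitions(output: str) -> list[str]:
    """Partitions whose filesystem is not a LUKS container.
    Filesystems that live inside a container appear with TYPE 'crypt' and are skipped."""
    plain = []
    for line in output.strip().splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 3:                       # whole disks have no FSTYPE
            continue
        name, dev_type, fstype = fields[:3]
        if dev_type == "part" and fstype != "crypto_LUKS":
            plain.append(name)
    return plain


def assess(platform: str, output: str) -> tuple[bool, str]:
    """Return (compliant, reason) for one host's tool output."""
    if platform == "darwin":
        ok = filevault_enabled(output)
        return ok, "FileVault is on" if ok else "FileVault is off"
    if platform == "win32":
        ok = bitlocker_protected(output)
        return ok, "BitLocker fully on" if ok else "BitLocker off or suspended"
    if platform.startswith("linux"):
        plain = plain_linux_partitions(output)
        return (not plain), ("all partitions are LUKS" if not plain
                             else "unencrypted partitions: " + ", ".join(plain))
    raise ValueError(f"unsupported platform: {platform}")


COMMANDS = {
    "darwin": ["fdesetup", "status"],
    "win32": ["manage-bde", "-status", "C:"],
    "linux": ["lsblk", "-l", "-o", "NAME,TYPE,FSTYPE"],
}


def check_this_host() -> tuple[bool, str]:
    """Run the real command for the current platform and assess its output."""
    key = "linux" if sys.platform.startswith("linux") else sys.platform
    out = subprocess.run(COMMANDS[key], capture_output=True, text=True, check=False).stdout
    return assess(sys.platform, out)


if __name__ == "__main__":
    # Walk the constructed samples; with --live, also check the machine this runs on.
    for label, plat, out in [("mac on", "darwin", FDESETUP_ON),
                             ("mac off", "darwin", FDESETUP_OFF),
                             ("win encrypted", "win32", MANAGE_BDE_ENCRYPTED),
                             ("win suspended", "win32", MANAGE_BDE_SUSPENDED),
                             ("linux mixed", "linux", LSBLK_MIXED)]:
        print(f"{label:14} -> {assess(plat, out)}")
    if "--live" in sys.argv:
        print("this host      ->", check_this_host())
```

In the Linux sample, `sda1` is the EFI system partition, which is unencrypted by design; a real deployment would allowlist it by name, but the script reports it rather than silently assuming it is fine. The same idea applies to a removable USB stick (`sdb1` above): an unencrypted exFAT partition is exactly the 28% case from the paper.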

The last cause with a meaningful percentage wasn’t caused by the employee: with 17%, it is plain hacking. I said it was not the employee’s fault because I believe that keeping the computers updated and with a proper antivirus is the responsibility of the security engineer. Now that we know the causes, we can review the solutions. The institute states the following measures.

Human factors and training strategies:

  • Enhance awareness of insider threat, including unintentional insider threat.
  • Heighten motivation to be wary of insider threat risks.
  • Train employees to recognize phishing and other social media threat vectors.
  • Engender process discipline to encourage adherence to policies and guidelines.
  • Train continuously to maintain proper level of knowledge, skills, and ability.
  • Conduct training on and improve awareness of risk perception and cognitive biases that affect decision making.
  • Improve human factors and usability of security tools.
  • Improve usability of software to reduce likelihood of system-induced human error.


So training, sharing our knowledge with everyone involved, would address the causes behind at least 77% of the cases. I encourage the reader to give the paper at least a quick read. It is really interesting how simple actions can let spyware in, and how simple the solutions can be: instead of investing thousands of dollars in technical security, we should focus more on training the employees and on being aware of all the risks the weakest link in the company can face.